2FA best practice: Disable authenticator app and force FIDO2?

Hello folks,

I’m curious what’s the best practice regarding using multiple 2FA methods with Bitwarden.

Should you disable “less secure” methods, such as an authenticator app, when you have also set up FIDO2 WebAuthn?

For example, I’ve associated three FIDO2 passkeys (two YubiKeys and an Apple TouchID/FaceID) with my Bitwarden account and also stored the printed out 2FA recovery code away at home. Should I go ahead and disable the authenticator app option in Bitwarden and thus force the use of FIDO2 as a second factor?

Best
Thomas

I mainly use FIDO2 keys as an indicator. But I also have TOTP codes activated, only because I have a device that doesn’t support FIDO2 that I sometimes use. That way I don’t have to reset the 2FA that is activated to gain access.
Also, if by any chance I should be unfortunate enough that my renewal of premium isn’t working, I won’t be without any 2FA option, as all premium 2FA options are removed when you’re not premium anymore.

I think you need to share what device you set up as the TOTP authenticator.
I wouldn’t be concerned about the TOTP protocol itself.

I always avoid the email option.

TOTP authentication is vulnerable to phishing and man-in-the-middle attacks.

@tomillr is correct. Your 2FA is only as strong as your weakest factor. Best practice would be to disable all 2FA methods except for FIDO2/WebAuthn, and to keep a copy of the 2FA recovery code safely stored (in addition, registering at least one extra key as a backup would be a good idea).

The one possible exception is if you need to use Bitwarden on the Desktop app in macOS or Linux, or if you otherwise have devices/client apps on which your FIDO2 passkeys do not work.

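The claim above (and the “weakest factor” point in the reply) comes down to one property: a TOTP verifier never learns where the user typed the code, while a WebAuthn relying party checks the origin the browser recorded before it accepts an assertion. The following is an added example, not code from the thread or from Bitwarden, that models both verifiers side by side. The TOTP half follows RFC 6238 (HMAC-SHA1, 30-second step) and is checked against the RFC’s published test vectors. The WebAuthn half is a simplification: an HMAC over the same bytes a real authenticator signs (rpIdHash followed by SHA-256 of clientDataJSON) stands in for the ECDSA signature, and the credential key, challenge, relying-party ID and origins are constructed placeholder values.

```python
"""TOTP vs. WebAuthn from the verifier's side: which one binds the origin?"""
import hashlib
import hmac
import json
import struct

STEP = 30  # RFC 6238 default time step in seconds


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian time counter,
    then dynamic truncation as in RFC 4226 section 5.3."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side TOTP check with one step of clock skew either way.
    Note what is NOT a parameter: the site the user typed the code into.
    The verifier only learns that the presenter knows a code valid in the
    current window, which is why a relayed code verifies just the same."""
    candidates = (totp(secret, now + k * STEP) for k in range(-skew_steps, skew_steps + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def make_assertion(credential_key: bytes, rp_id: str, origin: str, challenge: str) -> dict:
    """What the browser and authenticator produce for navigator.credentials.get().
    The browser, not the page, fills in `origin` and only allows an rp_id that is
    a registrable suffix of that origin, so a page cannot claim to be somewhere
    it is not. The HMAC below stands in for the credential's ECDSA signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"), sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    signature = hmac.new(credential_key, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash, "signature": signature}


def verify_assertion(credential_key: bytes, expected_rp_id: str, expected_origin: str,
                     issued_challenge: str, assertion: dict) -> bool:
    """Relying-party checks in the order the WebAuthn spec lists them:
    ceremony type, the challenge this server issued, the origin the browser
    recorded, the rpIdHash, and finally the signature over exactly the bytes
    the authenticator saw. The origin check is the step TOTP has no counterpart for."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
        return False
    if cd.get("origin") != expected_origin:
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(credential_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def demo() -> dict:
    """Run both verifiers on constructed sample values."""
    secret = b"12345678901234567890"          # constructed TOTP seed (RFC 6238 test key)
    now = 1_700_000_000                       # constructed Unix time
    code = totp(secret, now)
    cred_key = b"constructed-credential-key"  # placeholder for a registered credential
    challenge = "constructed-challenge-value"  # real RPs issue fresh random bytes per login
    rp_id, origin = "example.com", "https://vault.example.com"  # placeholders
    good = make_assertion(cred_key, rp_id, origin, challenge)
    elsewhere = make_assertion(cred_key, rp_id, "https://other-origin.example", challenge)
    return {
        "totp_accepted_with_no_origin_check": verify_totp(secret, code, now),
        "assertion_from_expected_origin": verify_assertion(cred_key, rp_id, origin, challenge, good),
        "assertion_from_other_origin": verify_assertion(cred_key, rp_id, origin, challenge, elsewhere),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the thread is making falls out of the last two results: the same credential, challenge and relying party produce an accepted assertion only when the browser-recorded origin is the one the server expects, whereas `verify_totp` has no origin to compare against at all. That is also why leaving TOTP enabled alongside FIDO2 keeps the account's effective strength at the TOTP level: the server accepts whichever factor is presented.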

Yes, and all methods have vulnerabilities, including FIDO2.

If he does not provide codes (when he didn’t use TOTP at login) then he will not be at risk.


Can you link to some documented vulnerabilities of FIDO2?

Here are a few describing the vulnerabilities of TOTP:

You’re citing a 2015 article from the private blog of Gabor Szathmari https://blog.gaborszathmari.me/ He seems to be really into conspiracy theories.
None of the quoted articles have credibility.

I don’t believe having TOTP enabled creates any great risk provided the client device is secure. I’m happy to be proved wrong, but not by an unknown person’s private blog.

Can we expect to get FIDO2 support for the desktop clients on Mac and Linux any time soon?

You have outlined a good plan. You have multiple types of WebAuthn (YubiKeys and FaceID) and multiple instances of it. You have also printed your 2FA recovery code. So, you have good redundancy. You should be safe now deleting your TOTP codes. Just be aware that you can’t sign into all Bitwarden products with WebAuthn, such as their desktop app. I would also back up your vault as an encrypted JSON file with the personal password option and store it somewhere safe.

Your objection to the third link notwithstanding, did you read any of the articles and the linked resources?

Are you claiming that Man-In-The-Middle attacks, Social Engineering attacks, Brute Force attacks, or clock-based attacks are not possible?

The articles I cited represent only a few examples of the ones that surfaced when doing a Google search for TOTP vulnerabilities — I just wanted to illustrate the variety of plausible attack vectors against TOTP; my goal was not to provide authoritative references for attacks that have been documented in the wild. Perhaps some of the following resources are more credible/creditable to you:

https://openphish.com/phishing_activity.html

https://www.microsoft.com/en-us/security/blog/2021/10/21/franken-phish-todayzoo-built-from-other-phishing-kits/